Cyber confusion at the heart of Government

Last week the Conservative chairman of the Defence Select Committee took the extraordinary step of writing to the Government to blast its response to the Committee’s recent report on cyber security. James Arbuthnot said the Government exaggerated the amount of money going to the Defence Science and Technology Laboratory’s Cyber and Influence Centre, was not acting quickly enough to secure military supply chains and were basically passing the civil cyber security buck.

Our world is constantly becoming ever more inter-connected. Ericsson estimates that by 2020, 50 billion ‘things’ will be connected to the internet. Other analysts put the number of connected devices in the trillions.

So it is ironic, at the very least, that this Government’s response appears to be to diffuse responsibility for cyber security in several disconnected Government silos – Cabinet Office, Defence, Home Office, Justice and BIS to name just five.

Our national infrastructure water, gas, electricity, telecoms and financial services are all linked together and will be more than ever in years to come. Much of it is in private hands. So our policy response must be equally joined up to meet the challenges we face.

But as well as Mr Arbuthnot’s criticisms, last month’s National Audit Office’s review into the UK cyber security strategy highlighted room for significant improvement in leadership and coordination across government.

This has been echoed by the former head of GCHQ and CESG head Nick Hopkinson, who said that the UK was lagging behind in our ability to respond to cyber-attacks because of a "lack of cohesion" across agencies.

Answers to my parliamentary questions reveal this confusion at the heart of and across Government. There is no agreed definition of cyber crime. It is not recorded by either the Home Office or the Justice Department. There has not been any assessment of the costs or benefits of recording cyber crime.

So we don’t know what we’re not doing and we don’t know why we’re not doing it.

Right now we have a £650million national cyber security strategy up to 2015. However, 60% of that has been put into the single intelligence account, I am not saying that the threat from governments, individuals and organised crime outside of our borders is not a significant risk.

But they are not the only cyber threat, and the economic consequences of commercial cyber attacks could be devastating. And, as we see in South Korea, commercial cyber security may be the basis for a national attack. We are only as strong as our weakest link, and in cyber space, it’s all linked!

We have had very little from Government in explaining where the risks lie and what resources are needed to deal with each of those risks.

And even less explanation in how we would respond, who will respond, and how all those responsible will work with each other.

There are 43 police forces in England and Wales plus numerous agencies and bodies that have an interest in cyber crime. We must ensure they are all properly coordinated.

As John Colley, head of (ISC)2 said in December, the Government’s cyber security strategy is too “fixated on high-level 'macro' security issues”.

Government should be doing more right across the cyber security spectrum.

When I meet software and technology businesses, they are concerned about the growing threat of cyber criminals, and our response to that threat.

Yet policing, education and training got a fraction of a £650m cyber security budget. The police got just £5m – on top of significant cuts. Which by the way the Prime Minister himself has said should be focused on the ‘backroom boys’ doing the IT rather than on the frontline. What the Prime Minister doesn’t get is that IT is part of the frontline.

Europol recently opened a new cyber crime centre. Yet the Home Secretary wants to ‘opt out’ of cross border cooperation on crime.

SMEs are the victim of three quarters of all successful data breaches. Yet the Government has no real resources or strategy for supporting SME cyber security.

And there is a chasm in their cyber strategy big enough to build out a GSM network. Ministers claim that their strategy covers mobile devices, but last December’s cyber security strategy update does not even mention it.

We increasingly bring our own devices to work. A recent report by HP found that 48% of mobile applications were vulnerable to unauthorised access. You don’t need a crystal ball to see internet mobility will grow.

And we don’t even have a strategy?

Economically, socially and geopolitically the virtual world is becoming as important and as complex as the real world.

We need to prioritise making sure our citizens can live safely in cyberspace.